From owner-freebsd-isp@FreeBSD.ORG Tue Feb 12 17:46:39 2013
From: Fleuriot Damien <ml@my.gd>
To: khatfield@socllc.net
Cc: Norbert Aschendorff, freebsd-isp@freebsd.org
Subject: Re: FreeBSD DDoS protection
Date: Tue, 12 Feb 2013 18:46:26 +0100
Message-Id: <79C9AC81-7937-4C2D-8514-51CAEAF314E7@my.gd>
In-Reply-To: <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
References: <321927899.767139.1360461430134@89b1b4b66ec741cb85480c78b68b8dce.nuevasync.com> <51179708.2030206@epipe.com> <511A733E.3000208@yahoo.de> <875329286.93002.1360690465766@d94655abdbc041fe9f54c404b6b4e89c.nuevasync.com>
X-BeenThere: freebsd-isp@freebsd.org
List-Id: Internet Services Providers

On Feb 12, 2013, at 6:34 PM, khatfield@socllc.net wrote:

> As my response stated, filter ICMP except where necessary. I can state, coming from a mitigation background, that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:
> icmp_types = "{ echoreq, unreach }"
>

breaks traceroute :(

> But in real life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.
>

YMMV but I'd advise rate limiting instead of plain blocking.
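What the "rate limit instead of plain block" approach looks like in pf.conf, as an added example that is not part of the thread and not anyone's posted ruleset: it passes the ICMP types a host needs to stay reachable and debuggable (the quoted list plus timex, the time-exceeded message every traceroute hop answers with) and caps state-table usage per source instead of dropping ICMP outright. The interface name em0 and the numeric limits are assumptions chosen for illustration.

```pf
# /etc/pf.conf fragment (added example; em0 and the limits are assumptions)
ext_if = "em0"

# ICMP types worth keeping open:
#   echoreq - ping
#   unreach - destination unreachable, including the fragmentation-needed
#             message that path MTU discovery depends on
#   timex   - time exceeded, the reply each traceroute hop sends
icmp_types = "{ echoreq, unreach, timex }"

# Drop (and log) every other ICMP type arriving on the outside interface.
block in log on $ext_if inet proto icmp all

# Allow the listed types, but bound what they can cost us:
#   max 500           - this rule may hold at most 500 states in total
#   source-track rule - count the states this rule creates per source address
#   max-src-states 20 - a single source may hold at most 20 of them
# A flood from one address tops out at 20 state entries; the excess is
# dropped while pings and traceroutes from everyone else keep working.
pass in on $ext_if inet proto icmp all icmp-type $icmp_types \
    keep state (max 500, source-track rule, max-src-states 20)

# Our own outbound ICMP (echo replies to stateful pings are already matched
# by the state above; port-unreachable answers to an inbound traceroute are
# not, since the UDP probe that triggered them never created a state).
pass out on $ext_if inet proto icmp all keep state
```

On the kernel side, FreeBSD already rate limits the ICMP responses it generates (echo replies, port unreachables, TCP RSTs) through the sysctl net.inet.icmp.icmplim, which defaults to 200 per second; lowering it in /etc/sysctl.conf is the other half of limiting rather than blocking. Check the pf rules with `pfctl -nf /etc/pf.conf` before loading them, and watch `pfctl -si` and `pfctl -ss | grep icmp` under load to see whether the per-source cap is the one actually being hit.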